Interop Labs Network Access Control

Transcription

1 Interop Labs Network Access Control Interop Las Vegas 2007 Jan Trumbo

2 Interop Labs Interop Labs are: Technology Motivated, Open Standards Based, Vendor neutral, Test and Education focused, Initiatives With team members from: Industry Academia Government Visit us at Booth 122! Technical contributions to this presentation include: Steve Hanna, Juniper Networks and TCG TNC Kevin Koster, Cloudpath Networks, Inc. Karen O Donoghue, Joel Snyder, and the whole Interop Labs NAC team Interop Labs Network Access Control, May 2007, Page 2

3 Objectives This presentation will: Provide a general introduction to the concept of Network Access Control Highlight the three most well known solutions Provide a context to allow a network engineer to begin to plan for NAC deployment Articulate a vision for NAC This presentation will not: Provide specifics on any of the three major approaches introduced Delve into the underlying protocol details Interop Labs Network Access Control, May 2007, Page 3

4 Why Network Access Control? Desire to grant different network access to different users, e.g. employees, guests, contractors Network endpoints can be threats Enormous enterprise resources are wasted to combat an increasing numbers of viruses, worms, and spyware Proliferation of devices requiring network connectivity Laptops, phones, PDAs Logistical difficulties associated with keeping corporate assets monitored and updated Interop Labs Network Access Control, May 2007, Page 4

5 Network Access Control is Who you are should determine What you can access Interop Labs Network Access Control, May 2007, Page 5

6 Who Has Several Facets User Identity + End-point Security Assessment + Network Environment Interop Labs Network Access Control, May 2007, Page 6

7 Access Policy May Be Influenced By Identity Jim (CTO), Steve (Network Admin), Sue (Engineering), Bob (Finance), Brett (Guest) Location Secure room versus non-secured room Connection Method Wired, wireless, VPN Time of Day Limit after hours wireless access Limit access after hours of employee s shift Posture A/V installed, auto update enabled, firewall turned on, supported versions of software Realtime traffic analysis feedback (IPS) Interop Labs Network Access Control, May 2007, Page 7

8 IF user group= phone THEN VLAN= phone-vlan Sample Policy ELSE IF non-compliant AND user = Alice THEN VLAN= quarantine AND activate automatic remediation ELSE IF non-compliant AND user = Bob THEN VLAN= quarantine ELSE IF compliant THEN VLAN= trusted ELSE deny all Interop Labs Network Access Control, May 2007, Page 8

9 NAC is More Than VLAN Assignment Additional access possibilities: Access Control Lists Switches Routers Firewall rules Traffic shaping (QoS) Non-edge enforcement options Such as a distant firewall Interop Labs Network Access Control, May 2007, Page 9

10 NAC is More Than Sniffing Clients for Viruses Behavior-based assessment Why is this printer trying to connect to ssh ports? VPN-connected endpoints cannot access HR database You need control points inside the network to make this happen Interop Labs Network Access Control, May 2007, Page 10

11 Generic NAC Components Access Requestor Policy Enforcement Point Policy Decision Point Network Perimeter Interop Labs Network Access Control, May 2007, Page 11

12 Sample NAC Transaction Posture Collector Posture Collector Posture Collector 1 Network Enforcement Point 6 Posture Posture Posture Validator Validator Validator Client Broker Network Access Requestor 2 Access Requestor Policy Enforcement Point 7 Server Broker Network Access Authority Policy Decision Point Interop Labs Network Access Control, May 2007, Page 12

13 Access Requestors Sample Access Requestors Laptops PDAs VoIP phones Desktops Printers Posture Posture Collector Collector Client Broker Network Access Requestor Access Requestor Components of an Access Requestor/ Endpoint Posture Collector(s) Collects security status information (e.g. A/V software installed and up to date, personal firewall turned on) May be more than one per access requestor Client Broker Collects data from one or more posture collectors Consolidates collector data to pass to Network Access Requestor Network Access Requestor Connects client to network (e.g X supplicant or IPSec VPN client) Authenticates user Sends posture data to Posture Validators Interop Labs Network Access Control, May 2007, Page 13

14 Policy Enforcement Points Network Enforcement Point Policy Enforcement Point Components of a Policy Enforcement Point Network Enforcement Point Provides access to some or all of the network Sample Policy Enforcement Points Switches Wireless Access Points Routers VPN Devices Firewalls Interop Labs Network Access Control, May 2007, Page 14

15 Policy Decision Point Posture Validator Server Broker Network Access Authority Policy Decision Point Components of a Policy Decision Point Posture Validator(s) Receives data from the corresponding posture collector Validates against policy Returns status to Server Broker Server Broker Collects/consolidates information from Posture Validator(s) Determines access decision Passes decision to Network Access Authority Network Access Authority Validates authentication and posture information Passes decision back to Policy Enforcement Point Interop Labs Network Access Control, May 2007, Page 15

16 What is it? TCG TNC Microsoft NAP Cisco NAC InteropLabs Network Access Control Architecture Alphabet Soup Posture Collector Third-party software that runs on the client and collects information on security status and applications, such as 'is A/V enabled and up-todate?' Client Broker "Middleware" that runs on the client and talks to the Posture Collectors, collecting their data, and passing it down to Network Access Requestor Network Access Requestor Software that connects the client to network. Examples might be 802.1X supplicant or IPSec VPN client. Used to authenticate the user, but also as a conduit for Posture Collector data to make it to the other side Posture Collector Client Broker Network Access Requestor Network Enforcement Point Integrity Measurement Collector TNC Client Network Access Requestor System Health Agent NAP Agent NAP Enforcement Client What is it? TCG TNC Microsoft NAP Cisco NAC Network Enforcement Point Component within the network that enforces policy, typically an 802.1X-capable switch or WLAN, VPN gateway, or firewall. Posture Validator Third-party software that receives status information from Posture Collectors on clients and validates the status information against stated network policy, returning a status to the TNC Server Server Broker "Middleware" acting as an interface between multiple Posture Validators and the Network Access Authority Network Access Authority A server responsible for validating authentication and posture information and passing policy information back to the Network Enforcement Point. Policy Enforcement Point Integrity Measurement Verifier TNC Server Network Access Authority NAP Enforcement Server System Health Validator NAP Administration Server Network Policy Server Posture Validator Server Broker Network Access Authority Network Access Device Policy Vendor Server Access Control Server Access Control Server Posture Plug-in Applications Cisco Trust Agent Cisco Trust Agent IETF terms 2006Apr04

17 Example: Policy Enforcement Users who pass policy check are placed on production network Users who fail are quarantined Interop Labs Network Access Control, May 2007, Page 17

18 Example: Policy Enforcement Users who pass policy check are placed on production network Users who fail are quarantined Interop Labs Network Access Control, May 2007, Page 18

19 NAC Solutions There are three prominent solutions: Cisco s Network Admission Control (CNAC) Microsoft s Network Access Protection (NAP) Trusted Computer Group s Trusted Network Connect (TNC) There are several proprietary approaches that we did not address Interop Labs Network Access Control, May 2007, Page 19

20 Cisco NAC Network Admission Control Strengths Many posture collectors for client Installed base of network devices Limitations More options with Cisco hardware Not an open standard Requires additional supplicant Status Product shipping today Interop Labs Network Access Control, May 2007, Page 20

21 Microsoft NAP Network Access Protection Strengths Part of Windows operating system Supports auto remediation Network device neutral Limitations Part of Windows operating system Not an open standard Status Client (Vista) shipping today; will be in XP SP3 Linux client available Server (Longhorn) still in beta; 3rd parties shipping Expect Longhorn (Windows Server 2008) release in 2007?? Interop Labs Network Access Control, May 2007, Page 21

22 Trusted Computing Group (TCG) Trusted Network Connect (TNC) Strengths Open standards based Not tied to specific hardware, servers, or client operating systems Multiple vendor backing - Juniper, Microsoft Limitations Potential integration risk with multiple parties Status Products shipping today Tightly integrated with Microsoft NAP but products not shipping yet (Monday announcement) Updated specifications released May 2007 Interop Labs Network Access Control, May 2007, Page 22

23 TNC Architecture Source: TCG Interop Labs Network Access Control, May 2007, Page 23

24 Current State of Affairs Multiple semi-interoperable solutions Cisco NAC, Microsoft NAP, TCG TNC Conceptually, all 3 are very similar All with limitations Industry efforts at convergence and standardization TCG IETF Interop Labs Network Access Control, May 2007, Page 24

25 Getting Started - What s Most Important to You? User Authentication End Point Security Enforcement Granularity Very Important Not Very Important Very Important Not Very Important Very Important Not Very Important Where will NAC apply? VPN WLAN Guests Desktops Computer Room Everywhere Interop Labs Network Access Control, May 2007, Page 25

26 Where Can You Learn More? Visit the Interop Labs Booth (#122) Live Demonstrations of all three major NAC architectures with engineers to answer questions Visit Interop Labs online: Interop Labs white papers, this presentation, and demonstration layout diagram Network Access Control VOIP: Wireless & Security Interop Labs Network Access Control, May 2007, Page 26

27 Interop Labs Network Access Control, May 2007, Page 27

28 Gigamon net monitor Devices Spectrum Trend Micro LANDesk Cisco CSA Cisco CTA Posture Collectors Client Broker & Network Access Requestor Cisco NAC-Capable Client PatchLink Wave Systems Juniper UAC Posture Collectors Client Broker & Network Access Requestor TCG TNC-Capable Client Trend Micro Posture Collectors Client Broker & Network Access Requestor Microsoft NAP-Capable Client Axis Camera 802.1X/TLS Microsoft System Health Agent HP Printer 802.1X/TLS Windows Unix Mac 802.1X Clients without Posture Collectors Lockdown Proxy Access Requestor Linksys Network Attached Storage Pingtel Phone VLANs Production Contractor Quarantine Guest Cross-VLAN Firewall Packet Filters Internet Introduction to NAC Switches and APs with full framework capability doing VLAN assignment Cisco Enterasys Extreme HP Auth by 802.1X Switches APs Network Enforcement Point Enforcement Spectrum Enforcement by: VLAN Switches ACL / Filter QOS Captive Portals Edge Enforcement APs Network Enforcement Point Non-Edge Enforcement Cisco CCA Juniper ScreenOS NAC-capable switches Cisco Enterasys Extreme HP Trapeze Cisco Enterasy s Extreme HP Cisco Extreme HP Trapeze Juniper firewall Juniper IDP RADIUS router (proxy) Extreme Sentriant NG sensor postur e Extreme Sentriant AG Trend Micro LANDesk Cisco CSA internal Posture Validators Server Broker & EAP-FAST Network Access Authority Q1 Wave Systems Cisco ACS PatchLink internal Posture Validators Server Broker & EAP-JEAP Network Access Authority Juniper UAC Posture Validators ID Engines Ignition internal Server Broker & EAP-PEAP Network Access Authority Posture Validators OSC Radiator internal Server Broker & EAP-TTLS Network Access Authority Posture Validators Trend Micro internal Server Broker & EAP-PEAP Network Access Authority User authentication Great Bay Beacon Device phones database printers badge readers Cisco CCA non-nac clients Active Directory User database WildPacket s analyzer Network Access Control Non 802.1X Clients Data center Microsoft NPS Las Vegas 2007

29 Where can you learn more? White Papers available in the Interop Labs: What is Network Admission Control? What is 802.1X? Getting Started with Network Admission Control What is the TCG s Trusted Network Connect? What is Microsoft Network Access Protection? What is Cisco Network Admission Control? What is the IETF s Network Endpoint Assessment? Switch Functionality for 802.1X-based NAC Exception Cases and NAC Get the NAC of Troubleshooting NAC Resources Free USB key to the first 600 attendees! (has all NAC and VOIP materials) Interop Labs Network Access Control, May 2007, Page 29

30 NAC Lab Participants In ter o pl a bs N A C Te am M embers Kare n O'D o noghu e, U S Navy, Te a m L e ad Kevi n Koste r, C loud p at h N e tworks Bill Clary l, gran d m o therboar d.org Jef f F u lso m, Univ o f U t ah Joel Snyde r, Opus One Mik e McC a uley, O pen Sys t em s Consu l ta n ts Jan Tr u mb o, Opu s One Henry H e, UN H IOL Chris Hessin g, Id e nt i fy En g ines Lynn Ha n ey, Ti p pin g Po i nt Terry S i mons, I de n tit y Engi n es In ter o pl a bs N A C Vendor E n g i n eers Th o mas Ho w ard, Cisc o Sy s tem s, In c. Mark Townsen d, E n terasys Mik e Skri p ek, E x tr e me N etworks Charles Owens, Gr e a t B ay S o ftware Eric H ol t on, H P Procurve Bre t Jorda n, Id e nt i fy E n gines Bo b F i ler, Juni p er N e tworks Chrisita n McDona l d, Junipe r N e tworks Denzil Wessels, Jun i per N e tworks S t eve H a nna, Jun i per N etworks Oliver C hun g, L ockdown Net w orks P a t Fe t ty, Microso f t Don G onzale s, P a tchlink Sco tt V a nwa r t, Q 1 Labs Ti m McCarth y, Trapez e N e tworks Ryan Ho l lan d, Tren d M icro Alw i n Y u, Tren d M icro A mi t Desh p and e, Wave Syst e ms Interop Labs Network Access Control, May 2007, Page 30

31 Thank You! Questions? Interop Labs -- Booth Interop Labs Network Access Control, May 2007, Page 31